Execution chain overview | Image: TRU
Acronis’ Threat Research Unit (TRU) has uncovered a massive global malvertising and SEO-poisoning campaign—dubbed TamperedChef—that distributes fully functional but trojanized applications signed with certificates purchased through U.S.-based shell companies. Once installed, the fake applications deploy scheduled tasks and heavily obfuscated JavaScript backdoors to achieve persistence, remote access, and long-term system control across multiple industries.
TRU’s investigation began in June 2025 but uncovered evidence the campaign had been active long before detection.
Malicious installers are pushed through:
- Bing and Google malvertising
- Fake download sites
- SEO-optimized pages for product manuals, PDF readers, browsers, and even simple games
Acronis’ telemetry reveals the campaign’s global spread, with that data showing that: “Most victims… are in the Americas, with roughly 80% in the United States.”
Industries most affected include:
- Healthcare
- Construction
- Manufacturing
Because, as the report notes: “Users in these industries may often search online for product manuals… one of the behaviors the TamperedChef campaign exploits.”
Acronis identified numerous fake applications—each fully working and appearing legitimate—signed using valid code-signing certificates.
Observed examples include:
- All Manuals Reader
- Manual Reader Pro
- Any Product Manual
- JustAskJacky
- Master Chess
These applications:
- Show installation wizards
- Display license agreements
- Launch genuine “Thank you for installing” pages
- Provide functional features
Acronis states: “Each fake application presents itself as a fully functional application and carries a valid signature… adding credibility and helping evade detection.”
TamperedChef operates with a highly organized, business-like pipeline.
Acronis found that the threat actor: “Operates with an industrialized… infrastructure, relying on a network of U.S.-registered shell companies to acquire and rotate code-signing certificates.”
These include generic LLCs such as:
- App Interplace LLC
- Pixel Catalyst Media LLC
- Performance Peak Media LLC
- Unified Market Group LLC
All were registered through registered-agent services such as Northwest Registered Agent Service, Inc.
Most of these certificates have already been revoked; only the newest is still active: “Unified Market Group LLC – Valid (As of this writing).” This rapid churn lets the operators re-sign malware whenever older certificates are flagged.
Once launched, the fake installer drops a malicious task.xml file and creates a scheduled task that:
- Executes immediately
- Repeats every 24 hours
- Adds a random delay of up to 30 minutes
- Runs despite missed triggers
- Blocks simultaneous execution
The report explains: “This new variant uses only a scheduled task for persistence… configured to run a JavaScript… every 24 hours with a random delay.” This ensures stealthy and reliable execution of the heavily obfuscated JavaScript payload.
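The five task properties listed above each map onto a specific element of the Task Scheduler XML schema, which turns the description into a hunting signature. The Python script below is an added example, not code from Acronis or from the report: it parses task XML in the format found under C:\Windows\System32\Tasks (or produced by `schtasks /Query /TN <name> /XML`) and flags definitions that combine daily repetition, a random delay, StartWhenAvailable, the IgnoreNew instance policy and an action that launches a script host. The two task definitions embedded in it are constructed for illustration and are not the campaign's task.xml; the verdict threshold is an assumption.

```python
# Added example (not from the Acronis TRU report): flag scheduled-task XML
# that combines the persistence traits described in the text.
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (the schema URI used by Windows task files).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample modelled on the traits listed above; NOT the campaign's task.xml.
SUSPICIOUS_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2025-06-01T12:00:00</StartBoundary>
      <RandomDelay>PT30M</RandomDelay>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //E:JScript "C:\\Users\\Public\\example_update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a daily vendor updater with none of the other traits.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-06-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <StartWhenAvailable>false</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def iso_duration_seconds(value):
    """Parse the PnDTnHnMnS subset of ISO 8601 used by Task Scheduler (P1D, PT30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(xml_data):
    """Return the list of TamperedChef-style traits found in one task definition."""
    root = ET.fromstring(xml_data)
    findings = []
    for trig in root.findall("t:Triggers/*", NS):
        interval = trig.findtext("t:Repetition/t:Interval", default="", namespaces=NS)
        days_interval = trig.findtext("t:ScheduleByDay/t:DaysInterval", default="", namespaces=NS)
        if iso_duration_seconds(interval) == 86400 or days_interval.strip() == "1":
            findings.append("runs every 24 hours")
        delay = trig.findtext("t:RandomDelay", default="", namespaces=NS)
        if delay and (iso_duration_seconds(delay) or 0) > 0:
            findings.append(f"random delay {delay.strip()}")
    settings = root.find("t:Settings", NS)
    if settings is not None:
        if settings.findtext("t:StartWhenAvailable", default="", namespaces=NS).strip().lower() == "true":
            findings.append("runs missed triggers (StartWhenAvailable)")
        if settings.findtext("t:MultipleInstancesPolicy", default="", namespaces=NS).strip() == "IgnoreNew":
            findings.append("blocks concurrent runs (IgnoreNew)")
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        exe = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
        # A script host, or any action whose arguments name a .js file, is the payload tell.
        if exe in SCRIPT_HOSTS or re.search(r"\.js\b", args, re.IGNORECASE):
            findings.append(f"script-host action: {exe} {args}".rstrip())
    return findings


def is_suspicious(xml_data):
    """Verdict (assumed threshold): a script-host action plus at least two scheduling traits."""
    findings = assess_task(xml_data)
    has_script_action = any(f.startswith("script-host action") for f in findings)
    return has_script_action and len(findings) - 1 >= 2


if __name__ == "__main__":
    for name, xml_data in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, is_suspicious(xml_data), assess_task(xml_data))
```

Task files on disk are usually UTF-16 with a BOM; `ET.fromstring` accepts the raw bytes directly, so feed it `open(path, "rb").read()` rather than a decoded string. A daily trigger alone is ordinary (updaters do it), which is why the verdict requires the script-host action together with the scheduling traits rather than any single property.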
TRU uncovered two variants of the JavaScript backdoor, both using obfuscator.io, applying:
- Control flow flattening
- Dead-code injection
- Function renaming
- String obfuscation
After partial deobfuscation, TRU found core capabilities:
- Registry manipulation
- Machine fingerprinting
- Encrypted communication with the C2
- Remote code execution
Communication is encrypted. Both samples support remote execution.
Early C2 domains resemble algorithmically generated strings:
- api.78kwijczjz0mcig0f0[.]com
- api.zxg4jy1ssoynji24po[.]com
Later ones intentionally look more legitimate:
- get.latest-manuals[.]com
- app.catalogreference[.]com
Acronis notes this evolution: “The earliest C2 servers used random-looking strings… By mid to late 2025, the C2 servers changed to human-readable names.”
Pivoting from newly discovered C2s revealed even more signed malware tied to new shell companies, showing rapid operational expansion.
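The "random-looking strings" observation can be turned into a cheap triage check. The Python script below is an added example, not code from Acronis or from the report: it scores the registrable label of a hostname on digit ratio, vowel ratio and the longest run of non-vowel characters, and runs the check over the four C2 domains quoted above plus a constructed benign name. It flags the early algorithmic-looking pair and passes the later human-readable pair, which is the limitation the report's observation implies: once operators move to readable names, lexical heuristics stop working and detection has to lean on other signals (domain age, certificate pivots, the scheduled-task behaviour). The feature thresholds and the single-label-TLD assumption are this example's own.

```python
# Added example (not from the Acronis TRU report): lexical scoring of C2
# hostnames to separate algorithmic-looking labels from human-readable ones.
import re

VOWELS = set("aeiou")

# The four domains come from the report; example.com is a constructed benign control.
SAMPLE_DOMAINS = [
    "api.78kwijczjz0mcig0f0[.]com",
    "api.zxg4jy1ssoynji24po[.]com",
    "get.latest-manuals[.]com",
    "app.catalogreference[.]com",
    "www.example.com",
]


def registrable_label(domain):
    """Label left of the TLD. Assumes a single-label TLD such as .com;
    multi-part suffixes like .co.uk are not handled (assumption of this example)."""
    host = domain.lower().replace("[.]", ".").strip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    """Three cheap lexical features of one DNS label."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in VOWELS for c in letters)
    # Runs of anything that is not a vowel or hyphen (digits count toward the run).
    runs = re.findall(r"[^aeiou\-]+", label)
    return {
        "length": len(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "longest_consonant_run": max((len(r) for r in runs), default=0),
    }


def dga_score(domain):
    """0..3: one point per feature past its (assumed) threshold."""
    f = label_features(registrable_label(domain))
    score = 0
    if f["digit_ratio"] > 0.10:
        score += 1
    if f["vowel_ratio"] < 0.25:
        score += 1
    if f["longest_consonant_run"] >= 4:
        score += 1
    return score


def looks_algorithmic(domain, threshold=2):
    return dga_score(domain) >= threshold


def triage(domains):
    """Map each domain to (score, flagged) for review."""
    return {d: (dga_score(d), looks_algorithmic(d)) for d in domains}


if __name__ == "__main__":
    for domain, (score, flagged) in triage(SAMPLE_DOMAINS).items():
        print(f"{domain:35} score={score} flagged={flagged}")
```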